def test_non_admin_cannot_fetch_used_limits_for_any_other_project(self):
project_id = "123456"
user_id = "A1234"
tenant_id = "abcd"
self.fake_context.project_id = project_id
self.fake_context.user_id = user_id
obj = {
"limits": {
"rate": [],
"absolute": {},
},
}
target = {
"project_id": tenant_id,
"user_id": user_id
}
fake_req = FakeRequest(self.fake_context)
fake_req.GET = {'tenant_id': tenant_id}
self.ext_mgr.is_loaded('os-used-limits-for-admin').AndReturn(True)
self.authorize_for_admin(self.fake_context, target=target). \
AndRaise(exception.PolicyNotAuthorized(
action="compute_extension:used_limits_for_admin"))
self.mox.ReplayAll()
res = wsgi.ResponseObject(obj)
self.assertRaises(exception.PolicyNotAuthorized, self.controller.index,
fake_req, res)
def test_non_admin_cannot_fetch_used_limits_for_any_other_project(self):
project_id = "123456"
user_id = "A1234"
tenant_id = "abcd"
self.fake_context.project_id = project_id
self.fake_context.user_id = user_id
obj = {
"limits": {
"rate": [],
"absolute": {},
},
}
target = {"project_id": tenant_id, "user_id": user_id}
fake_req = FakeRequest(self.fake_context)
fake_req.GET = {'tenant_id': tenant_id}
if self.ext_mgr is not None:
self.ext_mgr.is_loaded('os-used-limits-for-admin').AndReturn(True)
self.mock_can.side_effect = exception.PolicyNotAuthorized(
action=self.used_limit_extension)
self.mox.ReplayAll()
res = wsgi.ResponseObject(obj)
self.assertRaises(exception.PolicyNotAuthorized, self.controller.index,
fake_req, res)
self.mock_can.assert_called_once_with(ul_policies.BASE_POLICY_NAME,
target)
def enforce(context, action, target):
"""Verifies that the action is valid on the target in this context.
:param context: nova context
:param action: string representing the action to be checked
this should be colon separated for clarity.
i.e. compute:create_instance
compute:attach_volume
volume:attach_volume
:param object: dictionary representing the object of the action
for object creation this should be a dictionary representing the
location of the object e.g. {'project_id': context.project_id}
:raises: `nova.exception.PolicyNotAllowed` if verification fails.
"""
init()
match_list = ('rule:%s' % action, )
credentials = context.to_dict()
try:
policy.enforce(match_list, target, credentials)
except policy.NotAuthorized:
raise exception.PolicyNotAuthorized(action=action)
def test_non_admin_cannot_fetch_used_limits_for_any_other_project(self):
project_id = "123456"
user_id = "A1234"
tenant_id = "abcd"
self.fake_context.project_id = project_id
self.fake_context.user_id = user_id
obj = {
"limits": {
"rate": [],
"absolute": {},
},
}
target = {"project_id": tenant_id, "user_id": user_id}
fake_req = FakeRequest(self.fake_context)
fake_req.GET = webob.request.MultiDict({'tenant_id': tenant_id})
self.mock_can.side_effect = exception.PolicyNotAuthorized(
action=self.used_limit_extension)
res = wsgi.ResponseObject(obj)
self.assertRaises(exception.PolicyNotAuthorized, self.controller.index,
fake_req, res)
self.mock_can.assert_called_once_with(ul_policies.BASE_POLICY_NAME,
target)
def _test_core_authorizer_throws_exception_if_policy_fails(
self, rule, authorize):
target = {'project_id': '1234', 'user_id': '5678'}
self.mox.StubOutWithMock(nova.policy, 'enforce')
nova.policy.enforce(self.fake_context, rule, target).AndRaise(
exception.PolicyNotAuthorized(action=rule))
self.mox.ReplayAll()
self.assertRaises(exception.PolicyNotAuthorized,
authorize,
self.fake_context,
target=target)
def test_unlock_not_authorized(self):
self.mox.StubOutWithMock(self.compute_api, 'unlock')
instance = self._stub_instance_get()
self.compute_api.unlock(self.context, instance).AndRaise(
exception.PolicyNotAuthorized(action='unlock'))
self.mox.ReplayAll()
body = {}
self.assertRaises(self.authorization_error, self.controller._unlock,
self.req, instance.uuid, body)
def test_unlock_not_authorized(self):
self.mox.StubOutWithMock(self.compute_api, 'unlock')
instance = self._stub_instance_get(objects=False)
self.compute_api.unlock(self.context, instance).AndRaise(
exception.PolicyNotAuthorized(action='unlock'))
self.mox.ReplayAll()
res = self._make_request('/servers/%s/action' % instance['uuid'],
{'unlock': None})
self.assertEqual(403, res.status_int)
def test_core_authorizer_throws_exception_if_policy_fails(self):
target = {'project_id': '1234', 'user_id': '5678'}
self.mox.StubOutWithMock(nova.policy, 'enforce')
nova.policy.enforce(self.fake_context, "compute:used_limits_for_admin",
target).AndRaise(
exception.PolicyNotAuthorized(
action="compute:used_limits_for_admin"))
self.mox.ReplayAll()
authorize = base_extensions.core_authorizer('compute',
'used_limits_for_admin')
self.assertRaises(exception.PolicyNotAuthorized,
authorize,
self.fake_context,
target=target)
def test_unlock_not_authorized(self):
instance = self._stub_instance_get()
body = {}
with mock.patch.object(
self.compute_api, 'unlock',
side_effect=exception.PolicyNotAuthorized(
action='unlock')) as mock_unlock:
self.assertRaises(self.authorization_error,
self.controller._unlock,
self.req, instance.uuid, body)
mock_unlock.assert_called_once_with(self.context, instance)
self.mock_get.assert_called_once_with(self.context, instance.uuid,
expected_attrs=None)
def test_non_admin_cannot_fetch_used_limits_for_any_other_project(self):
project_id = "123456"
user_id = "A1234"
tenant_id = "abcd"
target = {"project_id": tenant_id, "user_id": user_id}
req = fakes.HTTPRequest.blank('/?tenant_id=%s' % tenant_id)
context = nova.context.RequestContext(user_id, project_id)
req.environ["nova.context"] = context
self.mock_can.side_effect = exception.PolicyNotAuthorized(
action="os_compute_api:os-used-limits")
self.assertRaises(exception.PolicyNotAuthorized,
self.view_builder.build, req, self.absolute_limits)
self.mock_can.assert_called_with(ul_policies.BASE_POLICY_NAME, target)
def test_network_create_exception_policy_failed(self):
ex = exception.PolicyNotAuthorized(action='dummy')
expex = webob.exc.HTTPForbidden
self._test_network_create_exception(ex, expex)
def fake_authorize(context, target=None, action=None):
raise exception.PolicyNotAuthorized(action='index')
def fake_func():
raise exception.PolicyNotAuthorized(action="foo")
def fake_unlock(*args, **kwargs):
raise exception.PolicyNotAuthorized(action='unlock')